NSSM 2.24 ("nssm224") Privilege Escalation, Updated

Penetration testers have refined the nssm224 attack chain (the label refers to NSSM version 2.24, not a CVE). Before the scenarios, two quick defensive checks:

# Enable the ASR rule "Block process creations originating from PSExec and WMI commands".
# Add-MpPreference appends to the configured rule list; Set-MpPreference would replace it.
Add-MpPreference -AttackSurfaceReductionRules_Ids d1e49aac-8f56-4280-b9ba-993a6d77406c -AttackSurfaceReductionRules_Actions Enabled

This rule blocks process creation that originates from PsExec and WMI, the usual remote launch path for service-based lateral movement. It does not restrict local service reconfiguration through sc.exe or the registry, so treat it as a complement to the ACL checks below rather than a control against NSSM service tampering.

Get-CimInstance Win32_Service | Where-Object { $_.PathName -like "*nssm*" } | ForEach-Object {
    $svc = $_   # capture the service so the ACE listing below can name it
    # List ACEs on the service's registry key; write rights for non-admin principals are the red flag
    (Get-Acl -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)").Access |
        Select-Object @{n='Service';e={$svc.Name}}, IdentityReference, RegistryRights, AccessControlType
}

NSSM lets an administrator install any executable as a Windows service, including programs with no native service support. Unless told otherwise, it registers the service to run as LocalSystem (SYSTEM), the most privileged built-in account on Windows.

Common use cases include:

But this convenience comes with a dangerous side effect: if an unprivileged user can modify what NSSM executes, whether by replacing nssm.exe itself, replacing the wrapped application, or editing the registry parameters that point at it, they get code execution as SYSTEM on the next service start.


Summary: nssm (the Non-Sucking Service Manager) is a popular open-source Windows service helper used to wrap arbitrary executables as Windows services. "nssm224" is shorthand for NSSM version 2.24, the long-standing release most installers bundle; it is not a CVE identifier. The privilege-escalation issue it labels is a class of misconfiguration: the way a product installs or configures an nssm-wrapped service lets a local low-privileged user replace or redirect what runs as SYSTEM. This article explains how such escalation typically works, demonstrates a plausible exploitation path, outlines detection and mitigation strategies, and provides recommended secure alternatives and hardening steps.

Note: this write-up is intended for defenders, system administrators, and security professionals for risk assessment and remediation. Do not use it for unauthorized testing.

Table of contents

Scenario A — Replaceable service binary

Scenario B — Registry-based ImagePath modification

Scenario C — DLL search order hijack

Notes on prerequisites:

Longer-term fixes:

Check service ImagePath and account:

View registry parameters:

Check file/directory ACLs:

Check service security descriptor:
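The four checks listed above (service ImagePath and account, registry parameters, file and directory ACLs, service security descriptor) as one script. This is an added example, not code from the original article or from the NSSM project. It assumes NSSM's documented registry layout, in which the wrapped program is stored under the service key's Parameters subkey as Application, AppDirectory and AppParameters, and reads everything else from the live system.

```powershell
# Added example, not code from the original article or the NSSM project. One pass over every
# NSSM-wrapped service that reports where a standard user could swap or redirect what runs as
# SYSTEM. Assumes NSSM's documented registry layout: the wrapped program is stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<service>\Parameters as Application, AppDirectory
# and AppParameters. Run from an elevated PowerShell session.

# Principals every standard user belongs to; an Allow ACE with write-class rights for any of them is a finding.
$LowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'   # Everyone, Authenticated Users, Users, INTERACTIVE

# Access bits that let a principal replace or redirect a component. The low bits mean
# FILE_WRITE_DATA|FILE_APPEND_DATA on files and KEY_SET_VALUE|KEY_CREATE_SUB_KEY on registry keys;
# the rest are DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_ALL and GENERIC_WRITE.
$WriteMask = 0x500D0006

function Get-LowPrivWriteAce {
    # Yields one line per Allow ACE that grants a low-privilege principal write-class access to $Path.
    param([Parameter(Mandatory)][string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return "ACL unreadable: $($_.Exception.Message)" }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }   # unresolvable account: already a SID string
        if ($sid -notin $LowPrivSids) { continue }
        $rights = if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) { $ace.FileSystemRights } else { $ace.RegistryRights }
        if (([int]$rights) -band $WriteMask) { "$($ace.IdentityReference) has $rights" }
    }
}

$nssmServices = Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'nssm' }
$findings = foreach ($svc in $nssmServices) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    $params = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue
    # ImagePath may be quoted ("C:\Program Files\x\nssm.exe") or bare (C:\nssm\nssm.exe); keep only the executable.
    $nssmExe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }

    $components = [ordered]@{
        'nssm.exe'            = $nssmExe
        'nssm.exe directory'  = Split-Path -Path $nssmExe -Parent
        'wrapped Application' = $params.Application
        'AppDirectory'        = $params.AppDirectory
        'Parameters key'      = "$svcKey\Parameters"
        'service key'         = $svcKey
    }
    foreach ($c in $components.GetEnumerator()) {
        if (-not $c.Value) { continue }
        foreach ($hit in Get-LowPrivWriteAce -Path $c.Value) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Component = $c.Key; Path = $c.Value; Finding = $hit }
        }
    }

    # Service security descriptor. A low-privilege trustee holding DC (change config), WD/WO (write DAC/owner),
    # SD (delete) or GA/GW (generic all/write) can repoint the service without touching any file.
    # Note the alias clash: as a trustee "WD" means Everyone, as a right it means WRITE_DAC.
    $sddl = (sc.exe sdshow $svc.Name | Out-String).Trim()
    foreach ($m in [regex]::Matches($sddl, '\(A;[^;]*;([A-Z]+);;;([A-Z]{2}|S-[\d-]+)\)')) {
        $who    = $m.Groups[2].Value
        $tokens = [regex]::Matches($m.Groups[1].Value, '..') | ForEach-Object { $_.Value }   # rights come in 2-letter pairs
        $bad    = @($tokens | Where-Object { $_ -in 'DC', 'WD', 'WO', 'SD', 'GA', 'GW' })
        $lowTrustee = ($who -in ('WD', 'AU', 'BU', 'IU')) -or ($who -in $LowPrivSids)
        if ($bad.Count -and $lowTrustee) {
            [pscustomobject]@{ Service = $svc.Name; RunsAs = $svc.StartName; Component = 'service DACL'; Path = $sddl; Finding = "$who has $($bad -join ',')" }
        }
    }
}
$findings | Format-Table -Property Service, RunsAs, Component, Finding, Path -AutoSize -Wrap
```

Every row is a place where a standard user can change what the service runs. A writable wrapped Application or AppDirectory matters as much as a writable nssm.exe: the attacker never has to touch the wrapper, and a writable AppDirectory is also where the DLL search-order hijack of Scenario C lands. `sc.exe` is spelled out because in PowerShell `sc` is an alias for Set-Content.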

Change service permissions (example to remove change-config from non-admins; use sc.exe sdset or SubInACL carefully):

Note: crafting service SDDL strings is error-prone; validate in test environments.

Final notes


The "NSSM224 privilege escalation" topic refers to security vulnerabilities involving the Non-Sucking Service Manager (NSSM) version 2.24, a popular Windows tool used to run applications as services. Although NSSM 2.24 has been the standard release for years, recent security advisories in 2024 and 2025 have highlighted critical privilege escalation risks when it is bundled with other software.

Review of NSSM 2.24 privilege escalation risks

The primary vulnerability is usually not in NSSM's code itself but in how third-party installers place and configure it.

Insecure inherited permissions (CVE-2024-51448). Disclosures for products such as IBM Robotic Process Automation (versions 21.0.0 through 23.0.18) show that installers often place the binary in directories with insecure permissions. Mechanism: non-privileged users can replace the legitimate nssm.exe with a malicious executable because the file inherits "Write" or "Modify" permissions from its parent directory. When the service restarts, the malicious binary runs with SYSTEM or Administrator privileges, leading to a full system compromise.

Service wrapper misconfiguration. Other vendors, such as Phoenix Contact, have reported similar issues where misconfigured permissions on a file in their management services allow low-privileged attackers to escalate rights.

Abuse by ransomware. Threat actors continue to use NSSM 2.24 as a persistence tool. For example, the ELENOR-corp ransomware (active in early 2025) has been observed deploying NSSM to configure malicious services after gaining an initial foothold through other means.

Key vulnerability data: CVE-2024-51448 (NVD detail page, 18 Jan 2025).

The classic attack vector for NSSM is a combination of two weaknesses: the wrapped service runs as LocalSystem, and the wrapper binary, the wrapped application, or the configuration that points at them is writable by standard users.

If a standard user can write to C:\nssm-2.24\ (or C:\Program Files\NSSM\ if the installer was run with lax permissions), they can replace nssm.exe with a malicious binary, which the Service Control Manager then starts as SYSTEM on the next service start.
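A remediation for the writable install directory described above, as an added example that is not from the original article or the NSSM project. It uses C:\nssm-2.24 as an illustrative path (substitute the directory your audit flagged) and relies only on takeown.exe and icacls.exe, which ship with Windows.

```powershell
# Added example, not code from the original article or the NSSM project: reset the ACL on an
# NSSM install directory so that only SYSTEM and Administrators can modify it, then verify.
# Standard users keep read-and-execute, which is all the Service Control Manager needs in
# order to start nssm.exe. The path is illustrative; point it at the directory your audit flagged.
$NssmDir = 'C:\nssm-2.24'

function Set-ServiceBinaryDirAcl {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { throw "Not a directory: $Path" }

    # Ownership first: a user who owns the directory could otherwise re-grant themselves access.
    # /A gives ownership to Administrators, /R recurses, /D Y answers the "list folder?" prompt.
    & takeown.exe /F $Path /A /R /D Y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed ($LASTEXITCODE)" }

    # /inheritance:r removes inherited ACEs (the source of the "insecure inherited permissions" finding),
    # /grant:r replaces existing explicit grants instead of appending, /T recurses, /C continues past
    # per-file errors. (OI)(CI) propagate each ACE to files and subdirectories created later.
    $grants = @(
        '*S-1-5-18:(OI)(CI)F',      # NT AUTHORITY\SYSTEM: full control
        '*S-1-5-32-544:(OI)(CI)F',  # BUILTIN\Administrators: full control
        '*S-1-5-32-545:(OI)(CI)RX'  # BUILTIN\Users: read and execute only
    )
    & icacls.exe $Path /inheritance:r /T /C /grant:r $grants | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed ($LASTEXITCODE)" }
}

function Test-DirHardened {
    # $true when no inherited ACEs remain and no Allow ACE gives a low-privilege principal
    # anything beyond read-and-execute (plus Synchronize, which icacls always adds).
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $readOnlyBits = [int]([System.Security.AccessControl.FileSystemRights]::ReadAndExecute -bor
                          [System.Security.AccessControl.FileSystemRights]::Synchronize)
    $low = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { return $false }
        if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -in $low -and
            ((([int]$ace.FileSystemRights) -band (-bnot $readOnlyBits)) -ne 0)) { return $false }
    }
    return $true
}

Set-ServiceBinaryDirAcl -Path $NssmDir
(Get-Acl -LiteralPath $NssmDir).Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
if (-not (Test-DirHardened -Path $NssmDir)) {
    Write-Warning "$NssmDir still grants write-class access to low-privilege principals"
}
```

Apply the same treatment to the wrapped application's directory (NSSM's AppDirectory), since a writable application binary or DLL directory gives the same result without touching nssm.exe. Directories that a product updates while running as the user cannot be locked down this way; such a product should not be running its updater out of a SYSTEM service's directory in the first place.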

Among Windows privilege-escalation write-ups, "NSSM-224" has had unusual staying power. The label refers to NSSM version 2.24, and the technique it names, abusing a writable NSSM deployment to run code as SYSTEM, keeps resurfacing in penetration-test reports and red-team operations because installers keep shipping the wrapper with lax permissions. Security researchers have released updated findings on how attackers leverage NSSM 2.24 (and adjacent builds) to cross the standard-user to SYSTEM boundary.

This article covers the updated mechanics of the NSSM-224 escalation, why it remains effective on systems that are fully patched but carry a badly installed wrapper, and how defenders can detect and mitigate the risk even as Microsoft continues to refine Windows service security.

# Restrict change-config to administrators only: BA alone gets DC (change config), SD, WD and WO; SY keeps
# start/stop rights and IU (interactive users) gets query rights only. Save the output of `sc.exe sdshow VulnService`
# first, because sdset replaces the whole descriptor; in PowerShell call sc.exe explicitly, since `sc` aliases Set-Content.
sc.exe sdset VulnService "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"